Re: Ideas for stopping ssh brute force attacks




Robert Moskowitz wrote:
Rudi Ahlers wrote:
lucian@xxxxxxxxxxx wrote:
On Tue, 22 Jul 2008 16:34:54 +0200
Rudi Ahlers <Rudi@xxxxxxxxxxx> wrote:

Bowie Bailey wrote:
Bo Lynch wrote:
Just wanted to get some feedback from the community. Over the last
few days I have noticed that my web server and email box have had
attempts to ssh to them using weird names like admin, appuser, nobody, etc.
None of these are valid users. I know that I can block sshd
altogether with iptables but that will not work for us. I did a
little research on Google and found programs like sshguard and
sshdfilter. Just wanted to know if anyone had any experience with
anything like these programs or has any other advice. I really
appreciate it.
The simplest thing is to change the port. I know it's "security
through obscurity", but it works well and can be used along with
whatever other security enhancements you care to use.

By changing the ports on all our servers to a high (above 1024) port,
we have eliminated SSH scans altogether - been running like that for
a few years now without any problems.

I also add a small script in /etc/profile to email me when someone
logs in via SSH, since only a few privileged people should use SSH
altogether.


Interesting idea with this script thing. Can you provide more details or
the script?
_______________________________________________
Yeah, it's simple :)



echo 'SSH (localhost.localdomain) on:' `date` `who` | mail -s "Alert: Access from `who | cut -d"(" -f2 | cut -d")" -f1`" xxxxx@xxxxxxx

OK. A chance to learn some more for me.

Is there a 'best' placement for this script in /etc/profile? Is localhost.localdomain a placeholder here for foo.bar.com?


_______________________________________________
I put stuff like that right at the end, and localhost.localdomain is basically the server's name, from where I copied this script, so replace that with my.linux.server.com - or whatever.

--

Kind Regards
Rudi Ahlers

Check out my technical blog, http://blog.softdux.com for Linux or other technical stuff

_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
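
A variant of the /etc/profile login alert discussed above, as an added example that is not part of the original thread: it takes the client address from the SSH_CONNECTION variable that sshd sets for the session instead of parsing `who`, which lists every logged-in session, and it checks that value before putting it in a mail subject. ALERT_TO and the function names are assumptions.

```shell
# Added example: SSH login alert for the end of /etc/profile.
# ALERT_TO and the function names are assumptions, not from the thread.
ALERT_TO="${ALERT_TO:-root}"

# sshd exports SSH_CONNECTION as "client_ip client_port server_ip server_port".
# Print the client address; fail if the value is empty or contains characters
# that do not belong in an address. The function bodies are subshells, so
# their variables never leak into the user's login shell.
ssh_client_ip() (
    ip=${1%% *}
    case $ip in
        ''|*[!0-9A-Za-z:.%]*) exit 1 ;;
    esac
    printf '%s\n' "$ip"
)

# Build the subject line from: SSH_CONNECTION value, user name, host name.
ssh_alert_subject() (
    ip=$(ssh_client_ip "$1") || exit 1
    printf 'Alert: SSH login by %s on %s from %s\n' "$2" "$3" "$ip"
)

# Mail the alert; the body is the current date and the full `who` listing.
ssh_login_alert() (
    subject=$(ssh_alert_subject "$SSH_CONNECTION" "$(id -un)" "$(hostname)") || exit 0
    { date; who; } | mail -s "$subject" "$ALERT_TO"
)

# Fire only for sessions started by sshd, and never block or break the login.
if [ -n "${SSH_CONNECTION:-}" ] && command -v mail >/dev/null 2>&1; then
    ssh_login_alert >/dev/null 2>&1 || true
fi
```

/etc/profile is read only by login shells, so a command run as `ssh host command`, or an scp/sftp transfer, does not trigger this alert.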
